frenz48 — 2012-12-07T13:51:09-05:00 — #1
So today my boss/manager walks in after a meeting,
"your project, its going on a rented server."
Well, not those words exactly, but the result is clear to me.
Where before it was behind a company firewall, and did not need exposure to the internet, it now needs tight security.
It needs all management available from a web interface. I had intended to remotely log on, or even put files on the server by local network/simpler means.
And what bothers me most, a bigger, more complex project and codebase...
I have picked up Netbeans, before i started on this project. It has refactoring and Git built-in and i was hoping to profit from this.
I have a decent understanding of php itself, and am trying to use a modular approach to this project to improve mantainability after launch(Classes).
Now, what i need help with, is organizing such a project. I had figured out what the actual application needs to do, now i need to add more management to it. How do i manage a larger project, is there some resource to learn from, a book to get?
Secondly, security... i THINK i have the right thoughts down from reading about security... Essentially use a peer-reviewed and well-used system. Use a salt and/or pepper in a hash in case of a DB leak. i got the phpmaster book which i believe to be great on those points.
Even so, i have never actually made a secure logon system... loooking for a resource or book here too.
I have rambled on... for too long.
Thanks in advance.
kylewolfe — 2012-12-07T14:21:19-05:00 — #2
So the big bullet points before taking this thing offsite IMO are going to be 1) sql sensitization and 2) as you stated, private data security in case of breach.
I'm not sure this thread went exactly where I wanted it to, but it might bring something useful to you: http://www.sitepoint.com/forums/showthread.php?904383-Let-s-talk-security
How large of a project are we talking? Is it built on a framework such as Zend / CodeIgnitor?
frenz48 — 2012-12-07T14:36:41-05:00 — #3
No large frameworks as i am not comfortable with others work, or large constructs.
This project is going to be closed down... Which is to say manually create user accounts. I want tight security, because it will be somewhat sensitive information. I'm thinking https might be a good thing.
SQL sanity = PDO parameterized values, prepared statements. am i right?
kylewolfe — 2012-12-07T14:38:23-05:00 — #4
It's a start.. what kind of sensitive data?
frenz48 — 2012-12-07T14:52:02-05:00 — #5
Student information, and school plans used in conjunction to make personalized plans for each student, delivered as a word download.
I do not intend to store more than names as comes to personal information... But at some point it might interest someone to get at it... If even a script kiddie or teacher with some knowledge...
Main point though. It should only be accesible by teachers and staff.
I believe i can pull off the application, the security i will have to test thoroughly. BUT i am seriously doubting my ability to hold all the details organized neatly. thats where id need the most help right now, i can always come back to security BEFORE deploying.
And it'll be the biggest thing ive done to date, which means i want to take a precaution to make sure i understand it 6 months after its done.
kylewolfe — 2012-12-07T15:12:12-05:00 — #6
Perhaps some ip address restrictions could be of use?
frenz48 — 2012-12-07T15:40:06-05:00 — #7
Thanks for the help on this. IP restrictions could come in handy, will have to consider the possibility.
Now, sleep, then think this over tomorrow on a refreshed brain.